Is there a list containing the most famous dangerous user inputs? PHP / MySQL

I built an API and I would like to test it. I have already tested my tests, but I want to make sure that it is somehow protected by brute forcing it with a general list of known dangerous user inputs. It is written in PHP and MySQL. Some of you may disagree whether brute force is good practice here or not, but this is an additional security measure.

+4
2 answers

OWASP provides a nice cheat sheet page that can answer your questions: https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet

+3

This is an obvious concern when you build an application that you want to be secure. It is my concern as well. To address it, I conducted thorough research and gathered information that helps protect a PHP site.

ITEMS TO BE CONSIDERED TO ENSURE PHP SECURITY

1. Use strong password encryption.
   a. Use the pop-up word for strong encryption.

2. Never trust user input. Treat each variable ($_POST, $_GET, $_COOKIE, $_SESSION, $_SERVER) as if it were corrupted. Apply appropriate filtering to these variables.

3. To avoid an XSS attack, use the PHP built-in functions htmlentities, strip_tags, etc. before inserting user input into the database. [Function (3) below will fix this problem.]

4. Use a dedicated sanitize function to avoid SQL injection and other malicious actions.

5. Disable register_globals in PHP.INI.

6. Disable "allow_url_fopen" in PHP.INI.

7. Do not store sensitive data in cookies, as cookies can be stolen.

8. Check for hexadecimal attacks. Clean user input to filter out hex codes.

9. Do not allow the user to enter more data than required. Validate the input to enforce a maximum number of characters. Also check each field for the appropriate data type.

10. Disable error reporting after the development period. It can expose database information that is useful to hackers.

11. Hide the file extension in the browser. Use URL rewriting methods.

12. For the login system, lock the user out after unsuccessful login attempts.

13. Record the IP address for each login.

14. For all logins, build a mechanism so that the user must change his password after the Xth day, for security reasons.

15. In the admin panel, a report should be available for each login (failed logins, login attempts, etc.). Note: this is useful for tracking IPs that frequently cause unsuccessful login attempts, and such IP addresses can be blocked from accessing the system through .htaccess.

16. Automatically log users out of the system after X minutes of inactivity.

17. When a user requests a password change, prevent the user from reusing previous passwords.

18. Disable PHP functions like exec, eval, shell_exec, etc. on the server.

19. Server security: disable directory listing via .htaccess. Place an index.html file in each directory, such as images, css, documents, etc.

20. Make the following settings in PHP.INI (on the production server):
    a. Disable allow_url_encode
    b. display_errors = off
    c. log_errors = on
    d. log_errors_max_len = 0
    e. ignore_repeated_errors = off
    f. ignore_repeated_source = off
    g. track_errors = off

21. Use a one-time token when submitting a form. If the token exists and matches the submitted form, the submission is valid; otherwise it is invalid.

    PHP code:
        $token = md5(uniqid(rand(), true));
        $_SESSION["token"] = $token;

    HTML code:
        <form>
          <input type="hidden" name="token" value="<?php echo $token; ?>">
        </form>

22. Limit the length of input fields to avoid an OVERFLOW attack through the browser. For example: PHP is a high-level language and its memory allocation is not limited, but at the end of the day, when the page is executed, it is APACHE that processes things. Apache is written in C, which has strict memory allocation rules. Large data in an input field can affect Apache's behavior.

23. The database field length for each data type must not exceed the actual requirement.

24. Hackers policy: “If you cannot defeat them, turn them off.” Example: users who access the application must be monitored. If hackers cannot get into the application, they will certainly try their level best to negatively impact it. They'll try to run the application in an endless loop. This slows down the application, drains server throughput and sometimes even causes server failure. Consequently, failing to track these actions means massive losses.

25. Disable all unwanted and unused PHP extensions and modules in PHP.INI for better performance. For example: if we use MySQL as the database, there is no point in enabling the PostgreSQL, SQLite, MSSQL and Oracle database extensions.

26. Avoid using obsolete PHP functions. Note: deprecated features are no longer supported by the PHP team, so it is wise to avoid using legacy features.

27. Some developers make serious mistakes. Example: if you pass record identifiers through the query string for display without checking, make sure that they are a) valid (the record exists) and b) the record belongs to the user requesting it, or the user has permission to view this record.

28. Good web hosting. Note: in many cases, even with a securely coded application, problems can arise due to a poor web host. If the application is hosted on a remote server, get a good web host with a reputation for security. Say NO to shared hosting.

    For example: there are many cases where people report that “my site was hacked”, when in fact their shared hosting allowed another user on the same server to escalate their privileges.

29. Blocking external IP addresses. If the application only needs to be run from a specific location, then block IP addresses other than that specific location.

30. Using stored procedures. Using stored procedures will greatly enhance security. Otherwise, use a parameterized query if using a raw query.

31. Application testing: test the application by entering random values. This should be done by someone who is not on the development team.

32. Something to remember: whether we use .NET, Java or PHP, the security issue is not a problem with the language we choose. The security issue is a problem with how the application is programmed. With poor programming, even .NET and Java applications are equally vulnerable.

33. PHP code encryption. Encrypt the PHP code on the production server using an encryption tool such as IONCUBE (http://www.ioncube.com/) to protect the PHP code against unauthorized changes. IONCUBE costs $199 at the time of writing this document.

34. Use available tools like Havij, Acunetix, Netsparker, etc. to check for vulnerabilities in the application. Hiring someone to hack the web application will also be very helpful.

+1
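The answer above lists the form token (item 21), input length and type limits (item 9), escaping for XSS (item 3), the ownership check on record identifiers (item 27) and parameterized queries (item 30) as separate points. The following is an added example, not code from the question or either answer, that wires those items together into one small request handler. It assumes a table `records(id, owner_id, body)`, a logged-in user id in `$_SESSION['user_id']`, and placeholder database credentials; it also swaps the answer's `md5(uniqid())` token for `random_bytes()` and compares tokens with `hash_equals()`.

```php
<?php
// Added example (not from the original answer). Assumed: PHP >= 8.0 with PDO MySQL,
// a table records(id, owner_id, body), and $_SESSION['user_id'] set at login.
declare(strict_types=1);

session_start();

// Item 21: one-time form token. random_bytes() replaces md5(uniqid()), and
// hash_equals() gives a constant-time comparison.
function issueFormToken(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['token'] = $token;
    return $token;
}

function consumeFormToken(?string $submitted): bool
{
    $expected = $_SESSION['token'] ?? null;
    unset($_SESSION['token']);              // single use: valid or not, it is gone
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Item 9: accept only what the field needs. A record id is a bounded-length
// positive integer; a comment is bounded UTF-8 text. Null means "reject".
function validateRecordId(mixed $raw): ?int
{
    if (!is_string($raw) || strlen($raw) > 10) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function validateComment(mixed $raw, int $maxLen = 500): ?string
{
    if (!is_string($raw) || strlen($raw) > $maxLen || !mb_check_encoding($raw, 'UTF-8')) {
        return null;
    }
    return $raw;
}

// Items 27 and 30: a prepared statement whose WHERE clause also enforces that the
// record belongs to the requesting user, so a guessed id returns nothing.
function fetchOwnedRecord(PDO $db, int $recordId, int $userId): ?array
{
    $stmt = $db->prepare(
        'SELECT id, owner_id, body FROM records WHERE id = :id AND owner_id = :owner'
    );
    $stmt->execute([':id' => $recordId, ':owner' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Item 3: escape at output time so the database keeps the raw text and the
// browser never sees unescaped user input.
function renderText(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Request glue. DSN, user and password are placeholders.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!consumeFormToken($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('invalid form token');
    }
    $recordId = validateRecordId($_POST['id'] ?? null);
    $comment  = validateComment($_POST['comment'] ?? null);
    if ($recordId === null || $comment === null) {
        http_response_code(400);
        exit('invalid input');
    }
    $db = new PDO(
        'mysql:host=localhost;dbname=app_db;charset=utf8mb4', 'app_user', 'app_pass',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
    );
    $row = fetchOwnedRecord($db, $recordId, (int) ($_SESSION['user_id'] ?? 0));
    if ($row === null) {
        http_response_code(404);   // missing and not-yours look the same to the caller
        exit('no such record');
    }
    echo '<p>', renderText($comment), '</p>';
} else {
    $token = issueFormToken();
    echo '<form method="post">',
         '<input type="hidden" name="token" value="', renderText($token), '">',
         '<input name="id"><textarea name="comment"></textarea><button>Send</button>',
         '</form>';
}
```

Two design choices are worth noting. The token is removed from the session before it is compared, so a failed check cannot be retried with the same value, and `PDO::ATTR_EMULATE_PREPARES => false` makes MySQL itself bind the parameters rather than having the driver interpolate them client-side. The ownership condition lives inside the query rather than in a separate check after the fetch, so there is no window in which a record the user does not own is loaded into memory at all.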

Source: https://habr.com/ru/post/1435233/

